Articles in this section

GCP Compliance Integration - Invoke Python Scripts from run.sh in a GCP Cloud Shell

The following procedure describes how to create a Lacework GCP Compliance Integration by invoking  Python scripts from the run.sh batch script in a GCP Cloud Shell. This script and additional files can be downloaded from the Lacework csp-integrations GitHub repository as described in more detail below.

The Lacework python script creates a GCP service account with permissions at the organization or project level to audit your GCP resources. To create the Lacework service account (Lacework SA Audit), the GCP user that runs the Python script must have the permissions described below.

Requirements

To install a Lacework GCP Compliance Integration, you must be a Lacework administrator.

Decide if you want to monitor for compliance at the GCP organization or project level and follow the appropriate requirements below.

Organization Integration Requirements

  • The GCP user that runs the Python script in the GCP Cloud Shell must have the following role access at the organization level:
    • roles/owner
    • roles/resourcemanager.organizationAdmin
  • For each project in the organization, the following APIs must be enabled:
    • Identity and Access Management (IAM) API
    • Cloud Resource Manager API

Project Integration Requirements

  • The GCP user that runs the Python script in the GCP Cloud Shell must have the following role access at the organization level:
    • roles/owner
  • The following APIs enabled in the project to be integrated:
    • Identity and Access Management (IAM) API
    • Cloud Resource Manager API

For more information about GCP roles, please see Cloud Identity and Access Management - Understanding Roles.

Open the GCP Cloud Shell, Download the Scripts and Install the Required Python Packages

  1. Log in to the GCP Console.
  2. In the top right corner of the GCP console, select Activate Cloud Shell
    mceclip0.png
    The GCP Cloud Shell opens at the bottom of your console. 
  3. Click the Cloud Shell and enter the following command to get the scripts from GitHub:
    git clone https://github.com/lacework/csp-integrations.git
    The csp-integrations directory is created with the scripts and files required to run the python script.
  4. Go to the directory that contains the GCP scripts: 
    cd csp-integrations/gcp-cfg-cli/
  5. Install the required versions of Python packages:
    pip install --user -r requirements.txt

Run the Script

The script can be run interactively or non-interactively. Lacework recommends running the script interactively to provide a better understanding of the changes being made by Lacework. To run the script interactively, skip to Run the Script Interactively.

Run the Script Non-Interactively

Start the bash shell script with the non-interactive option. The run.sh shell script invokes the integration Python scripts.

bash run.sh --mode non-interactive --id-type <ORGANIZATION|PROJECT> --id <ORG/PROJECT ID> --sa-project-id <SA_PROJECT_ID> --enable-api false --set-iam-policy true
  • id-type - Specify if integrating at the ORGANIZATION or PROJECT level.
  • id - If integrating at the organization level, specify the ORGANIZATION id. If integrating at the project level, specify the PROJECT id.
  • sa-project-id - If integrating at the organization level, you must specify the project in which to create the Lacework SA Audit service account.
  • enable-api - Specify true to have the script enable the necessary APIs and false to enable APIs manually.
  • set-iam-policy - Specify true to have the script modify IAM policy and create roles and false to create roles manually.

The script outputs the values that are required to complete the integration in the Lacework Console.

Run the Script Interactively 

Start the bash shell script with the interactive option. The run.sh shell script invokes the integration Python scripts.

bash run.sh --mode interactive

When launched interactively, the script prompts you to choose between integrating an organization or an individual project:

What do you want to integrate (ORGANIZATION/PROJECT):

After entering 'ORGANIZATION' or 'PROJECT', the script prompts you to enter the appropriate ID.

Enter your PROJECT Id :
Enter your ORGANIZATION Id :

If integrating at the organization level, you are prompted to choose a project where the Lacework SA Audit service account will be created.

Projects
+-----+---------------------+------------------+
| No. | Project Id | Project Name              |
+-----+---------------------+------------------+
|  1  | project-id | My First Project          |
+-----+---------------------+------------------+
Enter the projectId where you want to create the Service Account: 1

After choosing a project or if integrating a single project, the script lists the APIs that will be enabled and used.  Enter Yes if you want the script to enable the APIs.

APIs to be enabled
+-----+-------------------------------------+
| No. | API |
+-----+-------------------------------------+
|  1  | iam.googleapis.com                  |
|  2  | cloudkms.googleapis.com             |
|  3  | cloudresourcemanager.googleapis.com |
|  4  | compute.googleapis.com              |
|  5  | dns.googleapis.com                  |
|  6  | monitoring.googleapis.com           |
|  7  | logging.googleapis.com.             |
|  8  | storage-component.googleapis.com    |
+-----+-------------------------------------+
Projects
+-----+---------------------+------------------+
| No. | Project Id | Project Name              |
+-----+---------------------+------------------+
|  1  | sharp-matter-228919 | My First Project |
+-----+---------------------+------------------+
Do You want to enable APIs in the projects(yes/no):

After confirming the APIs, the script lists the roles that will be assigned to the Lacework SA Audit service account and prompts for confirmation.

Organization Integration

Roles Required
+-----+------------------------------------------+
| No. | Role                                     |
+-----+------------------------------------------+
|  1  | roles/resourcemanager.organizationViewer |
|  2  | roles/viewer                             |
+-----+------------------------------------------+
Do you want to modify ORGANIZATION IAM Policy(yes/no):

Project Integration

Roles Required
+-----+--------------+
| No. | Role         |
+-----+--------------+
|  1  | roles/viewer |
+-----+--------------+
Do you want to modify PROJECT IAM Policy(yes/no):

The script displays your choice and prompts for additional confirmation.

Modify ORGANIZATION IAM Policy
True
----------------------------------------
Do You Want to continue(yes/no):

The script completes and outputs the data required to complete the integration in the Lacework Console.

Id Type
PROJECT
Id
project-id-938457
Client Email
lacework-cfg-sa@project-id-938457.iam.gserviceaccount.com
Client Id
034728346290337494836
Private Key Id
65ab34c6987dcc83d345ca03d4823aa7b42136c6
Private Key
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

Complete the Integration

Log in to the Lacework Console with a user that has Lacework administrator privileges. From the Lacework Console, select Integrations > GCP,  and click + ADD INTEGRATION. Copy the script output into the matching fields in the Lacework Console and click Save. Copy the entire private key including the following start and end tags:

-----BEGIN PRIVATE KEY-----
key
-----END PRIVATE KEY-----